The Latest Strains of Attacks on the Pharmaceutical and Healthcare Sector

Schools were shut down due to high levels of absences and for sanitation purposes. Medical facilities were overflowing with patients. Visitor restrictions at hospitals and nursing facilities were in full force. Thankfully the flu season is starting to wind down, but this has been a particularly nasty episode. Several reasons have been cited, including the circulation of a particularly severe form of the flu virus that can cause more health complications, as well as local shortages and limited effectiveness of vaccines and antiviral medications against certain strains.

But these aren’t the only types of attacks that the pharmaceutical and healthcare sectors have had to contend with. Cyber attacks, campaigns and security incidents continue to plague these industries that remain lucrative targets primarily because of the type of information they hold, including personal health information (PHI) such as medical records and insurance information, personally identifiable information (PII), and financial information. The value of this data to financially-motivated threat actors is evident by continued extortion attempts against companies in this sector and data breaches. Let’s look at a few recent examples.

● Extortion attacks, the now infamous ransomware attacks we read about daily, are affecting all sectors and healthcare and pharmaceutical companies are not immune. The personal and sensitive information they hold, offer lucrative opportunities for threat actors to conduct identity theft, fraud and sell data to other threat actors.

Last October the threat actor, thedarkoverlord, appears to have been hard at work. A U.S.-based clinic was the target of an attempted extortion attack following a data breach that contained PII and some health-related information. The threat group mentioned the attack on Twitter but there has been no indication that the data has been publicly released. Around the same time, there was another report of a U.K.-based healthcare clinic that suffered a data breach and received an extortion demand from thedarkoverlord. An unspecified amount of data was reportedly stolen, which included PII, as well as pre- and post-operative photographs. As in the first case, there has been no indication that the data is widely available – yet.

These are just two examples of the repeated attacks by thedarkoverlord against healthcare organizations. While details aren’t clear as to how they are able to gain access to victims’ networks, they have alluded to using zero-day exploits in remote desktop protocol (RDP) servers.

● Data breaches can have long-lasting impacts on organizations and individuals. Just consider the Yahoo breaches if you have any doubts. In the healthcare industry we see the same thing. Late last year the HaveIBeenPwned website added approximately four million records from Malaysian websites to its data repository. The data was obtained reportedly from multiple companies, many in the healthcare industry, and appears to have been sourced in 2012. It includes PII, physical addresses, government-issued ID numbers and some credentials. The data was allegedly freely available to download on a hidden service and was likely accessed by a variety of threat actors for a range of malicious purposes including social engineering attempts, identity theft and account compromise.

Just as healthcare and pharmaceutical companies continuously look for more effective vaccines and protocols to contain outbreaks and mitigate consequences from the flu, what can these sectors do to boost their defenses against cyber threats and comply with legislation such as the Health Insurance Portability and Accountability Act (HIPAA)?

It starts with a defense-in-depth strategy guided by four main principles. These include: use of host-based firewalls and IP-whitelisting measures, segmenting networks and restricting workstation-to-workstation communication, applying patches and disabling unneeded legacy features, and restricting access to important data to only those who are required to have it.

But as I have previously discussed, you also need visibility outside your organization and across the widest range of data sources possible to mitigate digital risk and better protect your organization. Digital risks include cyber threats, data exposure, brand exposure, third-party risk, VIP exposure, physical threats and infrastructure exposure. Often these threats and risks span data sources and cannot be detected in full context by any point solution or even by multiple solutions used in isolation.

In these examples of extortion attacks and breaches, monitoring social media for mentions of your company, IP addresses, and even industry can help you determine if you’ve been targeted or may be, so you can proactively strengthen defenses. Threat actors may also post messages via social media or to Pastebin to apply pressure to the CEO to pay the ransom. Access to hacked RDP sites will allow you to check for mentions of your IP addresses. And monitoring the dark web can provide information on threat actor profiles to understand their motivation and gauge credibility.

An approach that combines monitoring across the entire Internet for risks to your business, with a defense-in-depth strategy, won’t stop every case of what ails you. But it will get you on the road to a full recovery faster and boost your defenses and compliance in advance of the next “flu” season.

Alastair Paterson is CEO and Co-Founder of Digital Shadows. Alastair has worked for over a decade advising secure government and FTSE 100 clients on large-scale data analytics for risk and intelligence. Before founding Digital Shadows in 2011, Alastair was International Propositions Manager at BAE Systems Detica working with clients in the Gulf, Europe and Australasia. He holds a first class MEng in Computer Science from the University of Bristol.